Oracle E-Business Suite Security - Signed JAR Files - What Should You Do
Until recently the Oracle E-Business Suite allowed self-designed certificates to assure the validity of Java code run within end-users’ browsers. This meant that the Java JAR files downloaded from the middle tier server were tested by the end-user’s browser for validity using a certificate created by you and/or you organization during installation. Use of a Trusted Certificate Authority (CA) issued certificate, while always an option for enhanced security, is now a requirement. Oracle has recently deemed self-signed certificates as no longer being secure. Oracle strongly recommends that Oracle E-Business Suite users now sign their Java content using a Trusted CA.
- Does this apply to me? This requirement applies to you if you are running the later JRE releases – specifically 7u40 or above. As Oracle releases new versions of Java over time, and for many good security reasons, Integrigy recommends that you start signing your JAR files using a Trusted CA.
- What is Java JAR signing? - In short, signing code confirms the author of the code (where it is coming from) and that code has not been altered or corrupted. Each file in the Java archive (JAR) is programmatically profiled and an inventory file is then added to the JAR file. You then sign this inventory file using public key encryption. You sign using your private key and, once signed, your public key is then automatically inserted into the JAR file – this is your digital certificate of authenticity. When the JAR file is used, the end-user’s browser will verify your public key to test whether or not it should trust the JAR file. You buy your public and private keys from a Certificate Authority (CA). A good reference on Java JAR signing is here.
- How do I sign E-Business JAR files? - Follow the instructions in the Oracle Support note ID 1591073.1 to generate a certificate request, send the request to a CA, import the certificate once it has been generated by the CA and then regenerate your JAR files using the adadmin utility.
- What is a CA? Will this cost money? A CA usually is a third party such as Verisign or Thawte, who for a fee, will sell you a certificate. This certificate will then be verified by the master root certificates that ship with all major browsers. You can also be your own CA. However, if you decide to be your own CA, you will need to take responsibility for distributing your CA root certificates throughout your end-user community’s desktops and laptops.
- Can I use an existing SSL certificate to sign my Java JAR files? No you cannot. The two certificates are used for two different purposes. The SSL certificate authenticates your server and the code signing certificate verifies the authenticity of the code on the server. As such the two certificates are built differently to do two different tasks.
- Why is Oracle not signing their code? – There is an enhancement request for Oracle do this. There are also several reasons why Oracle is not signing their code that involve their flexibility to package and ship patches.
- Can I ignore this? – Talk with your IT security team. Depending on your version of Java there are options to setup a “whitelist” of applications that can ignore checking for signed code. This involves using “Exception Site Lists” or “Deployment Rule Sets”. If you attempt to use Deployment rule sets, you will need to distribute files to each end-user’s desktop. This is however, after you have a CA sign the DeploymentRuleSet.jar. Use of Deployment Rule Sets are typically used as an additional security tool along with signed JAR files.
- Will this require downtime? – Most likely yes. You may need to apply patches to begin signing code, and to sign your JAR files, the Application tier will need to be stopped while your JAR files regenerated.
- How often will I need to sign JAR files? - Every time you patch or potentially clone, depending on if, or how, you decide to share certificates among production, test and development.
- Can I share certificates among instances? - Yes. One certificate can be used for or multiple E-Business Suite environments.
- How should I protect my Private Key used to sign JAR files? – Very carefully is the answer. Do not leave your private key (adkeystore.* files) on the middle tier. Securely wipe it from the operating system after using it and store it in a secure location. You can also potentially use solutions from Vendor such as Symantec or Vormetric who offer hardware security modules, smart cards and smart card-type devices such as USB tokens. Lastly, you can also just use a USB thumb drive that is locked in a safe.
- What should I do? - Java security is only to become more stringent over time. Integrigy recommends that you start signing your code, preferably using a certificate from a third party CA. Set aside time for a small project and be prepared to apply patches and make changes to your cloning and post-cloning steps and procedures depending on if, or how, you decide to share certificates among production, test and development.
If you have questions, please contact us at firstname.lastname@example.org
- Enhanced JAR Signing for Oracle E-Business Suite, 19-March-2014, Doc ID 1591073.1 https://support.oracle.com/rs?type=doc&id=1591073.1
- Oracle Tutorial on Java JAR signing: http://docs.oracle.com/javase/tutorial/deployment/jar/intro.html